Added trusted proxies

Igor Scheller 2018-08-13 16:30:27 +02:00 committed by msquare
parent 6415882b1c
commit bf6efe532c
5 changed files with 100 additions and 25 deletions


@ -126,4 +126,7 @@ return [
'3XL' => '3XL', '3XL' => '3XL',
'4XL' => '4XL' '4XL' => '4XL'
], ],
// IP addresses of reverse proxies that are trusted, can be an array or a comma separated list
'trusted_proxies' => env('TRUSTED_PROXIES', ['127.0.0.0/8', '::ffff:127.0.0.0/8', '::1/128']),
]; ];
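Review bot: The default entry `'::ffff:127.0.0.0/8'` puts an IPv4 prefix length on an IPv6 address; in IPv6 CIDR the length counts bits of the 128-bit address, so it denotes `::/8`, which contains `::1` and every IPv4-mapped address, not just mapped loopback. If the request class matches entries as standard IPv6 prefixes (not visible here), any client whose address is reported in `::ffff:a.b.c.d` form would count as a trusted proxy and its forwarded IP and scheme headers would be honoured. The mapped equivalent of 127.0.0.0/8 is `'::ffff:127.0.0.0/104'` (96 + 8). The same applies to the `::ffff:` entries in the Dockerfile's `TRUSTED_PROXIES` in this commit, which would need /104, /108 and /112 for the /8, /12 and /16 ranges. The enclosing config array starts outside this hunk.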


@ -33,3 +33,9 @@ FROM php:7-fpm-alpine
COPY --from=data /app/ /var/www COPY --from=data /app/ /var/www
RUN apk add --no-cache icu-dev gettext-dev && \ RUN apk add --no-cache icu-dev gettext-dev && \
docker-php-ext-install intl gettext pdo_mysql docker-php-ext-install intl gettext pdo_mysql
ENV TRUSTED_PROXIES 10.0.0.0/8,::ffff:10.0.0.0/8,\
127.0.0.0/8,::ffff:127.0.0.0/8,\
172.16.0.0/12,::ffff:172.16.0.0/12,\
192.168.0.0/16,::ffff:192.168.0.0/16,\
::1/128,fc00::/7,fec0::/10
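Review bot: The image-level `ENV TRUSTED_PROXIES` trusts every RFC 1918 range plus `fc00::/7` and `fec0::/10`, which is far wider than the loopback-only default in the config file. On a deployment where ordinary clients sit in private address space, their `Forwarded`/`X-Forwarded-*` headers would be honoured, so the recorded client IP and detected scheme become client-controlled. Consider defaulting to the proxy's own network only, or at least adding a comment such as `# Override TRUSTED_PROXIES with your reverse proxy's address; this default trusts all private ranges`.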


@ -1,35 +1,42 @@
error_log stderr; error_log stderr;
events { events {
worker_connections 1024; worker_connections 1024;
} }
http { http {
client_body_temp_path /tmp/client_body_temp; client_body_temp_path /tmp/client_body_temp;
fastcgi_temp_path /tmp/fastcgi_temp; fastcgi_temp_path /tmp/fastcgi_temp;
proxy_temp_path /tmp/proxy_temp; proxy_temp_path /tmp/proxy_temp;
scgi_temp_path /tmp/scgi_temp; scgi_temp_path /tmp/scgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp; uwsgi_temp_path /tmp/uwsgi_temp;
map $http_x_forwarded_proto $forwarded_proto {
default $http_x_forwarded_proto;
https https;
}
server { server {
include mime.types; include mime.types;
access_log off; access_log off;
listen [::]:80 ipv6only=off; listen [::]:80 ipv6only=off;
proxy_redirect off; proxy_redirect off;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
index index.php; proxy_set_header X-Forwarded-Proto $forwarded_proto;
root /var/www/html; index index.php;
root /var/www/html;
location / { location / {
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
} }
location ~ \.php$ { location ~ \.php$ {
fastcgi_pass engelsystem:9000; fastcgi_pass engelsystem:9000;
fastcgi_index index.php; fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on; include fastcgi_params;
include fastcgi_params;
} }
} }
} }
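Review bot: The added `proxy_set_header X-Forwarded-Proto $forwarded_proto;` most likely has no effect, because the only upstream in this server block is `fastcgi_pass` and `proxy_set_header` applies to requests sent with `proxy_pass`. The new `map` is also an identity as written: `default` already returns `$http_x_forwarded_proto`, so the `https https;` entry changes nothing. With `fastcgi_param HTTPS on;` removed, the scheme PHP sees appears to depend entirely on the incoming `X-Forwarded-Proto` header and the trusted-proxy list. A comment above the map, e.g. `# TLS is terminated by an upstream proxy; the scheme comes from its X-Forwarded-Proto`, would record that assumption, and the intended fallback (perhaps `default $scheme;`) should be confirmed.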


@ -8,7 +8,34 @@ class RequestServiceProvider extends ServiceProvider
{ {
public function register() public function register()
{ {
$config = $this->app->get('config');
$trustedProxies = $config->get('trusted_proxies', []);
if (!is_array($trustedProxies)) {
$trustedProxies = empty($trustedProxies) ? [] : explode(',', preg_replace('~\s+~', '', $trustedProxies));
}
/** @var Request $request */
$request = $this->app->call([Request::class, 'createFromGlobals']); $request = $this->app->call([Request::class, 'createFromGlobals']);
$this->setTrustedProxies($request, $trustedProxies);
$this->app->instance('request', $request); $this->app->instance('request', $request);
} }
/**
* Set the trusted Proxies
*
* Required for unit tests (static methods can't be mocked)
*
* @param Request $request
* @param array $proxies
* @param int $trustedHeadersSet
* @codeCoverageIgnore
*/
protected function setTrustedProxies(
$request,
$proxies,
$trustedHeadersSet = Request::HEADER_FORWARDED | Request::HEADER_X_FORWARDED_ALL
) {
$request->setTrustedProxies($proxies, $trustedHeadersSet);
}
} }
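Review bot: The default `$trustedHeadersSet = Request::HEADER_FORWARDED | Request::HEADER_X_FORWARDED_ALL` in `setTrustedProxies()` trusts both header families, while a reverse proxy normally sets only one of them. Whichever family the proxy does not overwrite is passed through from the client and is still trusted, which can produce a spoofed client IP or host, or conflicting values between the two families. Prefer trusting only the family the deployed proxy actually sets, e.g. `$trustedHeadersSet = Request::HEADER_X_FORWARDED_ALL`, or make the set configurable alongside `trusted_proxies`. Separately, `explode(',', …)` in `register()` keeps empty elements for input such as `'10.0.0.0/8,'`; wrapping the result in `array_filter(...)` would drop them.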


@ -2,6 +2,8 @@
namespace Engelsystem\Test\Unit\Http; namespace Engelsystem\Test\Unit\Http;
use Engelsystem\Config\Config;
use Engelsystem\Container\ServiceProvider;
use Engelsystem\Http\Request; use Engelsystem\Http\Request;
use Engelsystem\Http\RequestServiceProvider; use Engelsystem\Http\RequestServiceProvider;
use Engelsystem\Test\Unit\ServiceProviderTest; use Engelsystem\Test\Unit\ServiceProviderTest;
@ -10,20 +12,50 @@ use PHPUnit_Framework_MockObject_MockObject as MockObject;
class RequestServiceProviderTest extends ServiceProviderTest class RequestServiceProviderTest extends ServiceProviderTest
{ {
/** /**
* @covers \Engelsystem\Http\RequestServiceProvider::register() * @return array
*/ */
public function testRegister() public function provideRegister()
{ {
/** @var MockObject|Request $request */ return [
$request = $this->getMockBuilder(Request::class) ['', []],
->getMock(); [[], []],
['192.168.10.99', ['192.168.10.99']],
[' 234.234.234.234 ', ['234.234.234.234']],
['123.234.123.234,10.0.0.0/8', ['123.234.123.234', '10.0.0.0/8']],
['123.123.234.234 , ' . PHP_EOL . ' 11.22.33.44/22 ', ['123.123.234.234', '11.22.33.44/22']],
[['10.100.20.0/24'], ['10.100.20.0/24']],
];
}
$app = $this->getApp(['call', 'instance']); /**
* @dataProvider provideRegister
* @covers \Engelsystem\Http\RequestServiceProvider::register()
*
* @param string|array $configuredProxies
* @param array $trustedProxies
*/
public function testRegister($configuredProxies, $trustedProxies)
{
/** @var Config|MockObject $config */
$config = $this->getMockBuilder(Config::class)->getMock();
/** @var Request|MockObject $request */
$request = $this->getMockBuilder(Request::class)->getMock();
$app = $this->getApp(['call', 'get', 'instance']);
$this->setExpects($app, 'call', [[Request::class, 'createFromGlobals']], $request); $this->setExpects($app, 'call', [[Request::class, 'createFromGlobals']], $request);
$this->setExpects($app, 'get', ['config'], $config);
$this->setExpects($app, 'instance', ['request', $request]); $this->setExpects($app, 'instance', ['request', $request]);
$this->setExpects($config, 'get', ['trusted_proxies'], $configuredProxies);
$serviceProvider = new RequestServiceProvider($app); /** @var ServiceProvider|MockObject $serviceProvider */
$serviceProvider = $this->getMockBuilder(RequestServiceProvider::class)
->setConstructorArgs([$app])
->setMethods(['setTrustedProxies'])
->getMock();
$serviceProvider->expects($this->once())
->method('setTrustedProxies')
->with($request, $trustedProxies);
$serviceProvider->register(); $serviceProvider->register();
} }
} }
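Review bot: `provideRegister()` has no row with an empty list element, such as `'10.0.0.0/8,'` or `'1.2.3.4,,5.6.7.8'`. `register()` (in RequestServiceProvider in this commit) splits the configured string with `explode(',')`, so such input would hand an empty string to `setTrustedProxies`; a data row would pin whichever behaviour is intended. The provider's docblock also has only `@return array`; a one-line description such as `Configured value and the proxy list expected to reach setTrustedProxies` would make the rows easier to read.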